Nicholas Economidis, underwriter at specialist insurance provider the Beazley Group, said the biggest mistake hotels can make regarding guest credit theft is thinking, “This cannot happen to me.” Hackers, he said, are opportunistic and do not discriminate by segment or location. They are after credit-card information because it is the most commonly stored data from business to business, and they look for any open door to get to it.

Harry Gorstayn, GM of the Radisson Blu Mall of America, in Bloomington, Minn., said his hotel no longer stores credit-card information. Instead, when a card is swiped at the property, he said, it is associated with a code, not a personal identification number. If a breach were to take place, hackers would only obtain codes that were meaningless to them.

Economidis said anything from hackers and electronic intrusion to malware could be the source of a breach. Even employees responding to credit-card provider requests could present an opening to data thieves.

Once data have been compromised, security experts can easily lock the thieves out, but it is difficult to know when a system has been infiltrated. If a breach occurs, Economidis said, the incoming forensic audits can be managed to avoid paying maximum penalties.

For example, Economidis said if a company reporting a breach determines that 25,000 accounts were compromised and 100,000 may be vulnerable, auditors will treat the situation as if 125,000 accounts were lost.

“Hotels need to work with auditors to reduce the numbers to a definite,” Economidis said. “You need to be an active participant in the process. Don’t make conservative assumptions; you can help them find better information.”